Difference between #2 and #4 of
Configuring controller access rules to default-deny


Title unchanged

Configuring controller access rules to default-deny

Category unchanged


Yii version unchanged

Tags changed

accessRules, security, access control

Content changed

```php
public function accessRules()
{
    return array(
        array('allow', // allow authenticated users to access all actions
            'users'=>array('@'),   // '@' matches any authenticated user
        ),
        array('deny',  // deny all users
            'users'=>array('*'),   // '*' matches everyone
        ),
    );
}
...
```

Access rules -- when enabled with the `accessControl` token in `filters()` -- are processed in order, from top to bottom, stopping at the first match. It's a common practice to place a deny-all rule at the end, as a catchall to ensure that only intended users have access to this controller's actions.

But if no matches are made, Yii defaults to **allow**, and for many applications this is insecure and dangerous behavior. A developer not paying attention to his rules could find unauthorized users doing unauthorized things.
Ref: [Extending common classes to allow better customization](http://www.yiiframework.com/wiki/121/extending-common-classes-to-allow-better-customization/)

Our approach is to fetch the current controller's `accessRules()` -- which are defined in the real controller class for the particular set of actions -- and add a default-deny to the list, then process the filters as the original `CController` code would:

```php
public function filterAccessControl($filterChain)
{
    $rules = $this->accessRules();

    // default deny
    $rules[] = array('deny', 'users'=>array('*'));

    $filter = new CAccessControlFilter;
    $filter->setRules($rules);
    $filter->filter($filterChain);
}
```

A controller that really does intend default-allow should then say so explicitly at the end of its own `accessRules()`:

```php
return array(
    // other rules here
    array('allow'), // default allow
);
```
Even those not implementing this article's technique would do well to add the default-allow rule even though it would be handled by Yii automatically so that others reading the code would **know** this was intended behavior.
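The technique above, worked into a complete base controller plus a child controller that relies on it; this is an added example, not code from the original article, and the `Controller` class name, the file paths and the `ReportController` with its actions are assumed (the standard Yii 1.1 webapp layout).

```php
<?php
// protected/components/Controller.php (assumed path from the Yii 1.1 webapp skeleton)
// Base controller that appends a catch-all deny to every child's accessRules().
class Controller extends CController
{
    // Stock CController::filterAccessControl() feeds accessRules() straight into
    // CAccessControlFilter, so an action no rule matches is allowed. Appending a
    // deny-all rule here makes "no match" mean "deny" for every child controller.
    public function filterAccessControl($filterChain)
    {
        $rules = $this->accessRules();

        // default deny: '*' matches every user, authenticated or not
        $rules[] = array('deny', 'users' => array('*'));

        $filter = new CAccessControlFilter;
        $filter->setRules($rules);
        $filter->filter($filterChain);
    }
}

// protected/controllers/ReportController.php (constructed example controller)
class ReportController extends Controller
{
    public function filters()
    {
        return array('accessControl'); // turns on filterAccessControl()
    }

    public function accessRules()
    {
        return array(
            // '@' is Yii shorthand for any authenticated user
            array('allow', 'actions' => array('index', 'view'),
                           'users'   => array('@')),
            // only the user named 'admin' may delete
            array('allow', 'actions' => array('delete'),
                           'users'   => array('admin')),
            // 'export' is deliberately left unmatched: with the base class above it
            // is denied; under stock CController it would be silently allowed.
        );
    }

    public function actionIndex()  { $this->renderText('index'); }
    public function actionView()   { $this->renderText('view'); }
    public function actionDelete() { $this->renderText('deleted'); }
    public function actionExport() { $this->renderText('export'); }
}
```

A child that genuinely wants default-allow can still opt out by ending its own `accessRules()` with `array('allow')`, which matches before the appended deny.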
Viewed: 100 134 times
Version: 1.1
Category: How-tos
Written by: Steve Friedl
Last updated by: nsanden
Created on: Apr 4, 2011
Last updated: 7 years ago